jamf-cli

jamf-cli

Unified CLI for the Jamf platform. Supports Jamf Pro and Jamf Protect.

Documentation Wiki — full guides, configuration reference, and workflow recipes.

Command Explorer — interactive showcase of all commands, searchable and filterable. Auto-updated on every merge.

Installation

Homebrew (macOS and Linux)

brew install Jamf-Concepts/tap/jamf-cli

Binary releases

Download from GitHub Releases.

From source

go install github.com/Jamf-Concepts/jamf-cli/cmd/jamf-cli@latest

Quick Start

For interactive use, jamf-cli pro setup prompts for credentials so nothing is leaked to shell history, and stores them in the system keychain. Environment variables (JAMF_CLIENT_ID, JAMF_CLIENT_SECRET, etc.) are intended for automation workflows only — avoid setting them in interactive shells.

Jamf Pro

# One-time setup: prompts for credentials and stores them in the system keychain
jamf-cli pro setup --url https://jamf.company.com

# Multi-instance setup (MSPs): bootstrap credentials for many instances at once
jamf-cli pro setup --from-file instances.txt --scope standard

# Instance health dashboard
jamf-cli pro overview

# List computers
jamf-cli pro comp list -o table

# Extract just the names
jamf-cli pro comp list --field name

# Export inventory
jamf-cli pro comp list -o csv --out-file inventory.csv

# Show the JSON template for creating a building
jamf-cli pro buildings create --scaffold

# Create or update a building by name (upsert)
echo '{"name":"HQ","streetAddress1":"1 Apple Park Way"}' | jamf-cli pro buildings apply

# Apply from a file without confirmation
jamf-cli pro buildings apply --from-file building.json --yes

# Delete a building by name
jamf-cli pro buildings delete --name "HQ" --yes

# Device actions by serial number
jamf-cli pro comp blank-push --serial C02X1234
jamf-cli pro comp redeploy-framework --serial C02X1234
jamf-cli pro comp erase --serial C02X1234 --yes

# Device actions targeting a group
jamf-cli pro comp blank-push --group "All Macs" --yes
jamf-cli pro md unmanage --group "Retired iPads" --yes --confirm-destructive

# Classic API MDM commands
jamf-cli pro comp lock --serial C02X1234 --yes --confirm-destructive
jamf-cli pro md update-inventory --id 42 --yes

# Device deep-dive
jamf-cli pro device C02X1234

# Fleet security report
jamf-cli pro report security -o table

# Run a command against multiple instances
jamf-cli multi --filter 'pro-*' -- pro buildings apply --from-file building.json --yes

See the Setup Guide for the full walkthrough.

Features

Jamf Pro

• Full API coverage — Modern API (OpenAPI-generated) and Classic API (/JSSResource/) commands
• overview — Instance dashboard with 37 parallel API calls: inventory, enrollment, MDM, alerts
• scope — View, add to, and remove from scope on policies, config profiles, restricted software, and apps — no XML editing required
• Device actions — Erase, remove MDM, redeploy framework, blank push, DDM sync, renew MDM, lock, enable/disable Remote Desktop (computers); erase, unmanage, restart, shutdown, update inventory (mobile devices). Target by serial number, name, ID, group, or file. Destructive bulk operations require --confirm-destructive
• device — Aggregated device deep-dive: identity, hardware, OS, security posture, user info, MDM command history, policy logs
• report security — Fleet security posture: FileVault, Gatekeeper, SIP, firewall rates, OS version distribution, flagged devices

Jamf Platform (via Gateway)

• Blueprints — CRUD, deploy/undeploy, clone, scope management (add/remove device groups by name), component scaffolds, import Classic configuration profiles as blueprints with automatic DDM conversion (passcode policies, Safari settings, software update deferrals, RSR settings, software update preferences are promoted to native DDM components; --legacy to skip conversion)
• Compliance Benchmarks — Benchmark CRUD, baselines, rules, device compliance results, stats
• Platform Devices — Unified device inventory, actions (check-in, erase, restart, shutdown, unmanage)
• Platform Device Groups — CRUD, membership management
• DDM Reports — Device declaration status, declaration clients

Jamf Protect

• Full SDK coverage — Plans, analytics, analytic sets, exception sets, USB control, telemetry, prevent lists, unified logging filters, roles, users, groups, API clients, and org settings
• overview — Instance dashboard with 14 parallel API calls: endpoints, security config, data forwarding, access
• apply — Idempotent upsert: creates or replaces resources by name, with confirmation. --scaffold prints an empty JSON template
• export / import — Round-trip configuration as JSON or YAML. Plans and analytic sets use names (not IDs) for portability across tenants
• Community analytics — Import YAML analytics from the jamf/jamfprotect repository
• Downloads — Installer packages, configuration profiles (.mobileconfig), and certificates
• Granular mutations — Add/remove rules on USB control sets, analytics on sets, exceptions on sets

Cross-product

• --field — Extract a single field from any response: jamf-cli pro comp list --field id
• apply — Name-based upsert: creates if new, replaces if existing (with confirmation)
• patch — JSON Merge Patch (RFC 7386): update individual fields without a full replace. Use --set key=value for scalar fields or pipe a merge-patch document. Accepts --name, --serial, --udid (resource-dependent) in place of an ID. --scaffold prints the patchable field template
• --name flag — get, update, delete, and patch commands all accept --name (and resource-specific alternates like --serial, --udid) in place of a positional ID
• --scaffold — Print JSON templates for create/update commands with example values
• Five output formats — table, json, csv, yaml, plain
• Auto-pagination — --all fetches every page; --limit caps results
• Dry-run mode — --dry-run previews writes without executing
• multi — Run any command against multiple profiles: jamf-cli multi --filter 'pro-*' -- pro comp list. Supports glob patterns, file input (profile names or URLs), and interactive selection
• Destructive safeguards — Delete and replace operations require --yes confirmation
• setup — Bootstrap API roles and OAuth2 credentials from a username/password. Idempotent (safe to re-run): updates roles and integrations in place without rotating credentials. Use --rotate-credentials to explicitly regenerate secrets. Supports multi-instance setup via --from-file for MSPs
• System keychain — Secrets stored via macOS Keychain or Linux secret-service
• Jamf Platform Gateway — Route Jamf Pro through regional gateways with --tenant-id

Configuration

Config file: ~/.config/jamf-cli/config.yaml

default-profile: prod
default-output: table

profiles:
  prod:
    url: https://jamf.company.com
    auth-method: oauth2
    client-id: abc123
    client-secret: env:JAMF_PROD_SECRET

  protect:
    product: protect
    url: https://tenant.protect.jamfcloud.com
    auth-method: oauth2
    client-id: keychain:jamf-cli/protect/client-id
    client-secret: keychain:jamf-cli/protect/client-secret

  # Platform Gateway auth (routes Jamf Pro through regional gateway)
  platform-prod:
    url: https://us.apigw.jamf.com
    auth-method: platform
    client-id: env:PLATFORM_CLIENT_ID
    client-secret: env:PLATFORM_CLIENT_SECRET
    tenant-id: e5b39e85-5ecd-4d40-9d13-02c7cf21c762

Jamf Pro supports three auth methods: oauth2, token, and platform. Jamf Protect uses oauth2 only. Three secret formats: env:VAR, file:/path, keychain:service/account.

Least privilege: When creating API roles for use with jamf-cli, grant only the privileges required for the endpoints you need to access. Jamf Pro maps each API endpoint to a specific privilege — consult the Privileges and Deprecations reference to determine the minimum set of permissions for your workflow.

See the wiki for full details: Configuration & Profiles · Secrets & Keychain

Command Structure

Each product has its own namespace:

jamf-cli pro <command> [subcommand] [flags]       # Jamf Pro
jamf-cli protect <command> [subcommand] [flags]    # Jamf Protect

Aliases

Full command catalog: Command Reference · Output Formats · Common Workflows

Exit Codes

See Error Handling & Exit Codes for structured JSON errors, retry logic, and scripting patterns.

Shell Completion

jamf-cli completion install

Supports bash, zsh, fish, and PowerShell. See the Setup Guide for manual installation.

Development

make build       # Build binary
make test        # Run tests
make lint        # Lint code
make generate    # Generate commands from OpenAPI specs

See Architecture & Development for project structure and contributing guidelines.

Troubleshooting

Debug output

Add --verbose (or -v) to any command to print HTTP request and response details to stderr:

jamf-cli pro comp list --verbose

To capture debug output to a file:

jamf-cli pro comp list --verbose 2>debug.log

Authentication errors (exit code 3)

• Run jamf-cli pro setup (or jamf-cli protect setup) to reconfigure credentials.
• Verify the active profile with jamf-cli config list.
• Check that env vars (JAMF_CLIENT_ID, JAMF_CLIENT_SECRET, JAMF_URL) are not overriding your config profile unintentionally.
• For OAuth2, confirm the API client is enabled in Jamf Pro and has the required privileges.

Not found / permission errors (exit codes 4–5)

• Confirm the resource exists: try a list command first.
• Check that the API role has the minimum privileges for the endpoint. See Privileges and Deprecations.

Rate limiting (exit code 6)

jamf-cli retries automatically with exponential backoff when rate-limited. If you're consistently hitting limits, add --limit to reduce page sizes or introduce delays between commands in scripts.

Previewing changes safely

Use --dry-run (-n) to see what a write command would do without executing it:

jamf-cli pro buildings apply --from-file building.json --dry-run

Bugs and feature requests

Please file an issue in GitHub Issues.

License

Copyright (c) 2026 Jamf Software LLC.

This project is distributed under the MIT License.